The present invention relates to the field of private network security and, more particularly, to protecting private networks from leakage or extraction of information or insertion of unapproved material when the clients are connected to the private network or not connected (i.e., working online or offline).
Commercial corporations, enterprises, organizations, such as government, health, military, financial, etc., face several computer security concerns. One of these concerns is the leakage of information from their internal computer network to the outside world. The threat of information leakage may come from outsiders as well as from inside the organization by disloyal or careless employees.
Internal employees may use their permission to gain access to the enterprise's information, download the information to their client computer and then transfer the information to an external device. The external device may be a removable storage device (e.g. flash memory, such as but not limited to, DiscOnKey or a removable hard disk drive), a removable storage media (e.g., floppy disk or writable CD ROM), a PDA, a cellular phone, WiFi dongle, MP3 player, Bluetooth dongle, printer, digital camera, tokens, etc. DiskOnKey is a registered trademark of M-Systems. A PDA is an acronym for Personal Digital Assistant, a handheld device that may have computing, telephone/fax, Internet and networking features. Communication with such external devices may be done over a variety of data communication physical ports such as USB, FireWire, PCMCIA bus, SCSI bus, iSCSI, Cellular, Infiniband, Serial, Parallel, LAN port, Fiber Channel, Infrared, wireless communication such as but not limited WiFi, Bluetooth, etc.
Another device that may be used for transferring information out of an organization is the employee's portable computer (e.g. a laptop computer, a cellular device). Today, in many organizations, a peer may have a laptop computer instead of, or in addition to his desktop computer. An employee can easily copy valuable information onto the laptop and then carry it out. Subsequently, when the laptop is not connected to the private network, the valuable information can be copied, undetectably, to another storage device.
One common approach to deal with this type of security threat is by preventing access to valuable information or preventing the transfer of valuable information to external devices. Preventing the access to the information may be done physically or by software means. In addition, a user's ability to access an external storage device for the purpose of transferring information can also be prevented using physical or software techniques. However such common methods have a significant adverse effect, they can easily reduce the productivity of the users within an organization because the users may need to access the valuable information or external storage devices during day-to-day operations.
Therefore, there is a need in the art for new method that may offer a wider variety of options for controlling the transfer of information and the access to external devices. A technique for addressing this need in the art would preferably (a) permit a user to transfer certain files but prevent files containing more sensitive or valuable information from being transferred or (b) may allow access to some of the functions of an external device while preventing access to other features. For example, the technique may allow a user to synchronize his or her personal diary in the user's personal computer with the diary in his or her PDA yet prevent other files from being transferred to the PDA.
Furthermore, there is a need in the art for a method that may verify the environment to which a portable device is connected and restrict information access or information transfer capabilities based on the environment. For instance, once a device is interconnected to an environment, the restriction options associated with this environment can be checked to determine the actions and access privileges allowed in this location and thus, a decision regarding information access and transfer can be determined. This decision may be based, at least in part, on a security policy that is loaded into the portable device. In addition, there is a need in the art for a method that can analyze nesting of a communication protocol within another communication protocol.